CVE-2026-30460
Published: 07 April 2026
Description
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of flaws like this authenticated RCE vulnerability in FuelCMS Blocks module to prevent exploitation.
Mandates validation of inputs to the Blocks module, directly countering the code injection (CWE-94) mechanism of this RCE.
Enforces least privilege for low-privilege authenticated users, limiting the scope and impact of RCE even if exploited in the Blocks module.
Security SummaryAI
CVE-2026-30460 is an authenticated remote code execution (RCE) vulnerability affecting Daylight Studio FuelCMS version 1.5.2, specifically within the Blocks module. Published on 2026-04-07, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (code injection), alongside NVD-CWE-noinfo.
An attacker with low-privilege authenticated access can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the server, resulting in high impacts to confidentiality, integrity, and availability.
Advisories and related resources, including those from Pentest-Tools (PTT-2025-027 on improper authorization), the FuelCMS GitHub repository, and official sites at daylight.com and fuelcms.com, provide further details but no specific patch information is detailed in the CVE record. Security practitioners should review these references for mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated RCE in a public-facing web application (CMS) via code injection directly maps to exploitation of public-facing applications for initial access.